Validate NPM package names in URLs
This commit is contained in:
parent
db53a296aa
commit
9d15462006
|
@ -33,7 +33,8 @@
|
||||||
"redis": "^2.7.1",
|
"redis": "^2.7.1",
|
||||||
"semver": "^5.3.0",
|
"semver": "^5.3.0",
|
||||||
"tar-fs": "^1.15.2",
|
"tar-fs": "^1.15.2",
|
||||||
"throng": "^4.0.0"
|
"throng": "^4.0.0",
|
||||||
|
"validate-npm-package-name": "^3.0.0"
|
||||||
},
|
},
|
||||||
"devDependencies": {
|
"devDependencies": {
|
||||||
"autoprefixer": "6.7.2",
|
"autoprefixer": "6.7.2",
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
const validateNPMPackageName = require('validate-npm-package-name')
|
||||||
const PackageURL = require('../PackageURL')
|
const PackageURL = require('../PackageURL')
|
||||||
|
|
||||||
const ValidQueryKeys = {
|
const ValidQueryKeys = {
|
||||||
|
@ -21,10 +22,16 @@ function parseURL(req, res, next) {
|
||||||
if (url == null)
|
if (url == null)
|
||||||
return res.status(403).type('text').send(`Invalid URL: ${req.url}`)
|
return res.status(403).type('text').send(`Invalid URL: ${req.url}`)
|
||||||
|
|
||||||
|
const nameErrors = validateNPMPackageName(url.packageName).errors
|
||||||
|
|
||||||
|
// Do not allow invalid package names.
|
||||||
|
if (nameErrors)
|
||||||
|
return res.status(403).type('text').send(`Invalid package name: ${url.packageName} (${nameErrors.join(', ')})`)
|
||||||
|
|
||||||
// Do not allow unrecognized query parameters because
|
// Do not allow unrecognized query parameters because
|
||||||
// some people use them to bust the cache.
|
// some people use them to bust the cache.
|
||||||
if (!queryIsValid(url.query))
|
if (!queryIsValid(url.query))
|
||||||
return res.status(403).type('text').send(`Invalid query: ${JSON.stringify(url.query)}`)
|
return res.status(403).type('text').send(`Invalid query: ${url.search}`)
|
||||||
|
|
||||||
req.packageName = url.packageName
|
req.packageName = url.packageName
|
||||||
req.packageVersion = url.packageVersion
|
req.packageVersion = url.packageVersion
|
||||||
|
|
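Review bot: The new guard at `if (nameErrors)` rejects only names that validate-npm-package-name reports under `errors`; names that are merely invalid for new packages (mixed case, more than 214 characters) come back under `warnings` with `errors` absent and are passed through, which is presumably intended for a package mirror but is not stated anywhere. I would extend the comment to `// Do not allow invalid package names. Only hard errors are rejected; legacy-style names that produce warnings are still served.` so the next maintainer does not tighten it by accident. Echoing `url.packageName` back in the 403 body is acceptable here because the response is sent as `text`, so the reflected value is not rendered as HTML. parseURL starts before this hunk and its body continues past it.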
38
yarn.lock
38
yarn.lock
|
@ -1007,6 +1007,10 @@ builtin-status-codes@^3.0.0:
|
||||||
version "3.0.0"
|
version "3.0.0"
|
||||||
resolved "https://registry.yarnpkg.com/builtin-status-codes/-/builtin-status-codes-3.0.0.tgz#85982878e21b98e1c66425e03d0174788f569ee8"
|
resolved "https://registry.yarnpkg.com/builtin-status-codes/-/builtin-status-codes-3.0.0.tgz#85982878e21b98e1c66425e03d0174788f569ee8"
|
||||||
|
|
||||||
|
builtins@^1.0.3:
|
||||||
|
version "1.0.3"
|
||||||
|
resolved "https://registry.yarnpkg.com/builtins/-/builtins-1.0.3.tgz#cb94faeb61c8696451db36534e1422f94f0aee88"
|
||||||
|
|
||||||
byte-length@^0.1.1:
|
byte-length@^0.1.1:
|
||||||
version "0.1.1"
|
version "0.1.1"
|
||||||
resolved "https://registry.yarnpkg.com/byte-length/-/byte-length-0.1.1.tgz#e9b4774dbce7c59764bf5be87c302789a88738c3"
|
resolved "https://registry.yarnpkg.com/byte-length/-/byte-length-0.1.1.tgz#e9b4774dbce7c59764bf5be87c302789a88738c3"
|
||||||
|
@ -3177,7 +3181,7 @@ json-stable-stringify@^1.0.0, json-stable-stringify@^1.0.1:
|
||||||
dependencies:
|
dependencies:
|
||||||
jsonify "~0.0.0"
|
jsonify "~0.0.0"
|
||||||
|
|
||||||
json-stringify-safe@5.0.1, json-stringify-safe@^5.0.1, json-stringify-safe@~5.0.1:
|
json-stringify-safe@^5.0.1, json-stringify-safe@~5.0.1:
|
||||||
version "5.0.1"
|
version "5.0.1"
|
||||||
resolved "https://registry.yarnpkg.com/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz#1296a2d58fd45f19a0f6ce01d65701e2c735b6eb"
|
resolved "https://registry.yarnpkg.com/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz#1296a2d58fd45f19a0f6ce01d65701e2c735b6eb"
|
||||||
|
|
||||||
|
@ -3390,10 +3394,6 @@ lru-cache@^4.0.1:
|
||||||
pseudomap "^1.0.1"
|
pseudomap "^1.0.1"
|
||||||
yallist "^2.0.0"
|
yallist "^2.0.0"
|
||||||
|
|
||||||
lsmod@1.0.0:
|
|
||||||
version "1.0.0"
|
|
||||||
resolved "https://registry.yarnpkg.com/lsmod/-/lsmod-1.0.0.tgz#9a00f76dca36eb23fa05350afe1b585d4299e64b"
|
|
||||||
|
|
||||||
macaddress@^0.2.8:
|
macaddress@^0.2.8:
|
||||||
version "0.2.8"
|
version "0.2.8"
|
||||||
resolved "https://registry.yarnpkg.com/macaddress/-/macaddress-0.2.8.tgz#5904dc537c39ec6dbefeae902327135fa8511f12"
|
resolved "https://registry.yarnpkg.com/macaddress/-/macaddress-0.2.8.tgz#5904dc537c39ec6dbefeae902327135fa8511f12"
|
||||||
|
@ -4364,16 +4364,6 @@ range-parser@^1.0.3, range-parser@~1.2.0:
|
||||||
version "1.2.0"
|
version "1.2.0"
|
||||||
resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.0.tgz#f49be6b487894ddc40dcc94a322f611092e00d5e"
|
resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.0.tgz#f49be6b487894ddc40dcc94a322f611092e00d5e"
|
||||||
|
|
||||||
raven@^1.2.1:
|
|
||||||
version "1.2.1"
|
|
||||||
resolved "https://registry.yarnpkg.com/raven/-/raven-1.2.1.tgz#949c134db028a190b7bbf8f790aae541b7c020bd"
|
|
||||||
dependencies:
|
|
||||||
cookie "0.3.1"
|
|
||||||
json-stringify-safe "5.0.1"
|
|
||||||
lsmod "1.0.0"
|
|
||||||
stack-trace "0.0.9"
|
|
||||||
uuid "3.0.0"
|
|
||||||
|
|
||||||
rc@^1.1.7:
|
rc@^1.1.7:
|
||||||
version "1.2.1"
|
version "1.2.1"
|
||||||
resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.1.tgz#2e03e8e42ee450b8cb3dce65be1bf8974e1dfd95"
|
resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.1.tgz#2e03e8e42ee450b8cb3dce65be1bf8974e1dfd95"
|
||||||
|
@ -4954,10 +4944,6 @@ sshpk@^1.7.0:
|
||||||
jsbn "~0.1.0"
|
jsbn "~0.1.0"
|
||||||
tweetnacl "~0.14.0"
|
tweetnacl "~0.14.0"
|
||||||
|
|
||||||
stack-trace@0.0.9:
|
|
||||||
version "0.0.9"
|
|
||||||
resolved "https://registry.yarnpkg.com/stack-trace/-/stack-trace-0.0.9.tgz#a8f6eaeca90674c333e7c43953f275b451510695"
|
|
||||||
|
|
||||||
"statuses@>= 1.3.1 < 2", statuses@~1.3.1:
|
"statuses@>= 1.3.1 < 2", statuses@~1.3.1:
|
||||||
version "1.3.1"
|
version "1.3.1"
|
||||||
resolved "https://registry.yarnpkg.com/statuses/-/statuses-1.3.1.tgz#faf51b9eb74aaef3b3acf4ad5f61abf24cb7b93e"
|
resolved "https://registry.yarnpkg.com/statuses/-/statuses-1.3.1.tgz#faf51b9eb74aaef3b3acf4ad5f61abf24cb7b93e"
|
||||||
|
@ -5342,14 +5328,14 @@ utils-merge@1.0.0:
|
||||||
version "1.0.0"
|
version "1.0.0"
|
||||||
resolved "https://registry.yarnpkg.com/utils-merge/-/utils-merge-1.0.0.tgz#0294fb922bb9375153541c4f7096231f287c8af8"
|
resolved "https://registry.yarnpkg.com/utils-merge/-/utils-merge-1.0.0.tgz#0294fb922bb9375153541c4f7096231f287c8af8"
|
||||||
|
|
||||||
uuid@3.0.0, uuid@^3.0.0:
|
|
||||||
version "3.0.0"
|
|
||||||
resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.0.0.tgz#6728fc0459c450d796a99c31837569bdf672d728"
|
|
||||||
|
|
||||||
uuid@^2.0.2:
|
uuid@^2.0.2:
|
||||||
version "2.0.3"
|
version "2.0.3"
|
||||||
resolved "https://registry.yarnpkg.com/uuid/-/uuid-2.0.3.tgz#67e2e863797215530dff318e5bf9dcebfd47b21a"
|
resolved "https://registry.yarnpkg.com/uuid/-/uuid-2.0.3.tgz#67e2e863797215530dff318e5bf9dcebfd47b21a"
|
||||||
|
|
||||||
|
uuid@^3.0.0:
|
||||||
|
version "3.0.0"
|
||||||
|
resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.0.0.tgz#6728fc0459c450d796a99c31837569bdf672d728"
|
||||||
|
|
||||||
validate-npm-package-license@^3.0.1:
|
validate-npm-package-license@^3.0.1:
|
||||||
version "3.0.1"
|
version "3.0.1"
|
||||||
resolved "https://registry.yarnpkg.com/validate-npm-package-license/-/validate-npm-package-license-3.0.1.tgz#2804babe712ad3379459acfbe24746ab2c303fbc"
|
resolved "https://registry.yarnpkg.com/validate-npm-package-license/-/validate-npm-package-license-3.0.1.tgz#2804babe712ad3379459acfbe24746ab2c303fbc"
|
||||||
|
@ -5357,6 +5343,12 @@ validate-npm-package-license@^3.0.1:
|
||||||
spdx-correct "~1.0.0"
|
spdx-correct "~1.0.0"
|
||||||
spdx-expression-parse "~1.0.0"
|
spdx-expression-parse "~1.0.0"
|
||||||
|
|
||||||
|
validate-npm-package-name@^3.0.0:
|
||||||
|
version "3.0.0"
|
||||||
|
resolved "https://registry.yarnpkg.com/validate-npm-package-name/-/validate-npm-package-name-3.0.0.tgz#5fa912d81eb7d0c74afc140de7317f0ca7df437e"
|
||||||
|
dependencies:
|
||||||
|
builtins "^1.0.3"
|
||||||
|
|
||||||
value-equal@^0.2.0:
|
value-equal@^0.2.0:
|
||||||
version "0.2.1"
|
version "0.2.1"
|
||||||
resolved "https://registry.yarnpkg.com/value-equal/-/value-equal-0.2.1.tgz#c220a304361fce6994dbbedaa3c7e1a1b895871d"
|
resolved "https://registry.yarnpkg.com/value-equal/-/value-equal-0.2.1.tgz#c220a304361fce6994dbbedaa3c7e1a1b895871d"
|
||||||
|
|